A LISP VM is a big, giant, bloated.... *CHOKE* *COUGH* *SPUTTER* *SUFFOCATE* ... thing which SHOULD NEVER be in the kernel.

If you want to use a more abstract language for describing kernel security policies, fine. Just don't use LISP.

The right way to do it is this:

- A user space interpreter reads text-based config files and converts them into a compact, easy-to-interpret code used by the kernel.

- A VERY TINY kernel component is fed the security policy and executes it.

Move as much of the processing as reasonable into user space. It's absolutely unnecessary to have the parser into the kernel, because parsing of the config files is done only when the ASCII text version changes.

It's absolutely unnecessary to have something as complex as LISP to interpret it, when something simple and compact could do just as well.

Why do you choose LISP? Don't you want to use a language that sysadmins will actually KNOW?